Acymailing vulnerability exploited in the wild

6 months 3 weeks ago - 6 months 3 weeks ago #9552 by Jose
Hi there,

A couple of days ago, Securitycheck Pro alerted about a new file in a site of a customer I manage. The file, named "thumbnail_91.png_.php", was a PHP file hidden behind a PNG extension:
After some further investigation, I discovered that attackers were using an unknown vulnerability in Acymailing to upload the file. I contacted the developers, who confirmed the vulnerability and a patch for a future version.

In the meantime, add the words "setNewThumbnail" and "setNewIconShare" to the URL inspector to be protected, or edit the file /administrator/components/com_acym/controllers/mails/Edition.php and, in the setNewThumbnail function near line 800, add this code:

It should look like this:

Update [05/07/23]: In older versions of Acymailing the path is /administrator/components/com_acym/controllers/mails.php

Last edit: 6 months 3 weeks ago by Jose.
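As an added illustration of the kind of filename check that belongs in a thumbnail upload handler before anything is written to disk (this is example code written for this page, not the patch Jose refers to and not AcyMailing's own code; the function names, the allowed-extension list and the sample filenames are assumptions made for the illustration):

```php
<?php
// Added example, not AcyMailing code. Accepts only a plain basename with
// exactly one dot and an image extension, so a double extension such as
// "thumbnail_91.png_.php" is rejected before it reaches the filesystem.
function isSafeThumbnailName(string $name): bool
{
    // No directory components, no empty or dot-prefixed names.
    if ($name === '' || $name !== basename($name) || $name[0] === '.') {
        return false;
    }
    // Exactly one dot: blocks "x.png_.php", "x.php.png" and friends.
    if (substr_count($name, '.') !== 1) {
        return false;
    }
    [$stem, $ext] = explode('.', $name, 2);
    // Conservative character set and length for the stem.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $stem)) {
        return false;
    }
    $allowed = ['png', 'jpg', 'jpeg', 'gif', 'webp'];   // assumed list
    return in_array(strtolower($ext), $allowed, true);
}

// Secondary check on the bytes, independent of the name. getimagesize()
// can be fooled by polyglot files, so the name check above stays primary.
function thumbnailBytesLookLikeImage(string $path): bool
{
    $info = @getimagesize($path);
    $mimes = ['image/png', 'image/jpeg', 'image/gif', 'image/webp'];
    return $info !== false && in_array($info['mime'], $mimes, true);
}

// Constructed sample filenames and the verdict expected for each.
$samples = [
    'thumbnail_91.png'      => true,
    'thumbnail_91.png_.php' => false,
    '../thumbnail.png'      => false,
    'thumbnail.PNG'         => true,
    '.htaccess'             => false,
];
foreach ($samples as $name => $expected) {
    $verdict = isSafeThumbnailName($name) === $expected ? 'ok  ' : 'FAIL';
    echo "$verdict $name\n";
}
```

Logging the rejected names gives the same signal the URL-inspector rule in the post gives at the request layer, but at the point where the file would have landed on disk.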

